Use common-debian-service-https-redirect * jenkins.debian.org

<VirtualHost *:443>
	ServerName jenkins.debian.org
	ServerAdmin debian-admin@lists.debian.org

	Use common-debian-service-ssl jenkins.debian.org
	Use common-ssl-HSTS
	Use http-pkp-jenkins.debian.org

	SSLCACertificateFile /var/lib/dsa/sso/ca.crt
	SSLCARevocationCheck chain
	SSLCARevocationFile /var/lib/dsa/sso/ca.crl
	SSLVerifyClient optional

	SSLOptions +StdEnvVars

	<IfModule mod_userdir.c>
		UserDir disabled
	</IfModule>
	ErrorLog /var/log/apache2/jenkins.debian.org-error.log
	CustomLog /var/log/apache2/jenkins.debian.org-access.log privacy
	ServerSignature On
	<IfModule mod_proxy.c>
		RequestHeader unset X-Forwarded-User
		RequestHeader set X-Forwarded-User "%{SSL_CLIENT_S_DN_CN}e" env=SSL_CLIENT_S_DN_CN
		<Proxy *>
			Order deny,allow
			Allow from all
		</Proxy>
		AllowEncodedSlashes NoDecode

		<Location /http-auth-jenkins/>
			AuthName "Debian Jenkins"
			AuthType Digest
			AuthDigestProvider file
			AuthUserFile /srv/jenkins.debian.org/etc/htdigest
			Require valid-user

			RewriteEngine On
			# see the Apache documentation on why this has to be lookahead
			RewriteCond %{LA-U:REMOTE_USER} (.+)
			# this actually doesn't rewrite anything. what we do here is to set RU to the match above
			# "NS" prevents flooding the error log
			RewriteRule .* - [E=RU:%1,NS]
			RequestHeader set X-Forwarded-User %{RU}e

			ProxyPass http://127.0.0.1:8080/ retry=15 nocanon
			ProxyPassReverse http://127.0.0.1:8080/
			ProxyPassReverse http://jenkins.debian.org/http-auth-jenkins/
		</Location>

		ProxyPass / http://127.0.0.1:8080/ retry=15 nocanon
		ProxyPassReverse / http://127.0.0.1:8080/
		ProxyPassReverse / http://jenkins.debian.org/
		ProxyRequests     Off
		ProxyPreserveHost on
		RequestHeader set X-Forwarded-Proto "https"
		RequestHeader set X-Forwarded-Port "443"
	</IfModule>
</VirtualHost>